
How does a security control company detect and defend hacking? (feat.IDS, IPS, NGIPS, SIEM)

by 보안쟁이 PR 2020. 5. 29.

Hello, this is 보안쟁이 PR.
There are many security monitoring (control) companies in Korea.
Let's look at how the various security devices and solutions they run recognize and respond to network intrusions.
There are many kinds of detection solutions, but network security is the most important one to cover, so that is where we start.

➤ Real-time monitoring and attack response with IDS/IPS + SIEM (ESM).

[Real-time Attack Detection Process]
1. Set IDS/IPS signatures and threshold-based security policies
2. Collect logs from all security devices centrally in the SIEM (ESM) and analyze them (correlation analysis)
3. Receive the attack event detection (alert)
4. Block the attacker on the security device appropriate to the attack type
※ Attacker IP: firewall / web attack: web application firewall (WAF) / DDoS attack: Anti-DDoS, etc.
5. Report the event and the completion of the response actions
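As an added illustration of steps 1 through 4 (not code from the original post or from any vendor), here is a minimal SIEM-style correlation over constructed IDS alert lines: signatures carry an attack class, a per-class threshold decides when an event is raised, and the attack class selects the blocking device using the mapping given above. The log format, signature IDs, addresses and thresholds are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample IDS alert lines (not real logs). Format (assumed):
# "<timestamp> [<sid>] <CLASS> <message> {<proto>} <src>:<port> -> <dst>:<port>"
SAMPLE_ALERTS = """\
2020-05-29T10:00:01 [1:900001] WEB_ATTACK SQL injection attempt {TCP} 203.0.113.7:51000 -> 192.0.2.10:80
2020-05-29T10:00:02 [1:900001] WEB_ATTACK SQL injection attempt {TCP} 203.0.113.7:51001 -> 192.0.2.10:80
2020-05-29T10:00:03 [1:900001] WEB_ATTACK SQL injection attempt {TCP} 203.0.113.7:51002 -> 192.0.2.10:80
2020-05-29T10:00:05 [1:900002] SCAN port probe {TCP} 198.51.100.4:40000 -> 192.0.2.10:22
2020-05-29T10:00:09 [1:900003] DDOS SYN flood detected {TCP} 198.51.100.9:1024 -> 192.0.2.10:80
2020-05-29T10:00:11 [1:900004] MALWARE malware callback {TCP} 192.0.2.55:44000 -> 198.51.100.20:443
this line is malformed and must be skipped by the parser
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<sid>[\d:]+)\] (?P<cls>[A-Z_]+) (?P<msg>.+?) \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)

# Step 1: threshold policy (constructed): alerts from one source needed to raise an event.
# A class with no explicit entry raises on a single signature hit.
THRESHOLDS = {"WEB_ATTACK": 3, "SCAN": 5, "DDOS": 1}
# Step 4: blocking device by attack type, as in the post; anything else goes to the firewall.
RESPONSE_DEVICE = {"WEB_ATTACK": "WAF", "DDOS": "Anti-DDoS"}

def parse_alert(line):
    """Parse one alert line into its fields; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def correlate(lines):
    """Step 2: group alerts by (source IP, attack class) and count them."""
    counts = defaultdict(int)
    for line in lines:
        alert = parse_alert(line)
        if alert:  # unparseable lines are dropped rather than silently counted
            counts[(alert["src"], alert["cls"])] += 1
    return counts

def detect_events(counts):
    """Step 3: raise an event once a source reaches the threshold for its class."""
    return [{"src": src, "class": cls, "count": n}
            for (src, cls), n in counts.items() if n >= THRESHOLDS.get(cls, 1)]

def response_plan(events):
    """Step 4: pick the device that should block each event's source."""
    return [(e["src"], e["class"], RESPONSE_DEVICE.get(e["class"], "firewall")) for e in events]

if __name__ == "__main__":
    for src, cls, device in response_plan(detect_events(correlate(SAMPLE_ALERTS.splitlines()))):
        print(f"block {src} ({cls}) on {device}")
```

With the constructed input, the three SQL injection alerts go to the WAF, the single SYN flood alert to Anti-DDoS, the malware callback to the firewall, and the lone port probe stays below its threshold.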

A firewall is the most basic system in security, and it is often compared to a castle gate.
The firewall lets through the traffic permitted by its security policy and blocks traffic that exceeds the configured thresholds.
However, ports such as TCP-80 (HTTP), TCP-8080 (HTTPS), 25 (SMTP), 53 (DNS), and 110 (POP3) are open to an unspecified number of users,
which means they cannot simply be blocked at the firewall.
If a network attack arrives over the open TCP-80 (HTTP) or TCP-8080 (HTTPS) ports used by web services, a separate solution is needed to detect, judge and block it.
The representative devices are IDS, IPS, and the web application firewall (WAF); today's post covers IDS and IPS.

 

What is an Intrusion Detection System (IDS)?
An Intrusion Detection System (IDS) can be likened to a soldier guarding the castle gate. IDS is divided into host-based HIDS and network-based NIDS depending on where and why it is installed, but here we talk about the Network-Based Intrusion Detection System (NIDS) used in security monitoring.

IDS is essential for security monitoring.
It detects abnormal behavior in real time on the various service ports that the firewall policy lets through, and through SIEM integration it acts as the security log source for the various reporting tasks.
In a typical configuration it receives a copy of the network packets from a mirror port on the backbone switch and sends an event alarm to the security analyst in real time whenever a pattern in the security policy is matched.

So why do we need IPS?

What is an Intrusion Prevention System (IPS)?
It is equipment that adds a blocking function to the existing IDS.
IDS has no blocking capability, so the analyst had to block the attacker's IP manually at the firewall. In addition, the rise in worm viruses around 2003 made an efficient pattern-based blocking solution necessary, and IPS emerged at that time.
Although it has been an integral part of security for some time, it has since grown into the so-called Next Generation Intrusion Prevention System (NGIPS), driven by the growing need to detect and block new attack techniques, application-level web filtering, APT and so on, and by the tremendous analyst fatigue caused by false positives, over-detection and missed detections.

 

NGIPS

Alternatively, some security monitoring teams use the IPS function of a UTM.
Unified Threat Management (UTM) integrates network security solutions such as firewall, IDS, IPS and VPN into a single appliance.
The difference from UTM is that dedicated IDS/IPS equipment provides better detection/blocking performance and more granular security policies than a UTM does.
In addition, the quality differs from one security monitoring company to another.
When new vulnerabilities appear, how quickly detection policies are updated, and how skilled the analysts are at responding to attacks, decides whether attack events are detected promptly or missed.
This is directly linked to the quality of service a security monitoring company delivers.

[IDS/IPS Policy Management Process]
1. Update security policies (patterns) by analyzing the attack pattern whenever a new vulnerability appears
2. Minimize false positives, over-detection and missed detections by troubleshooting the existing detection policies
3. Improve response speed through training of the security analysts
4. Prepare detection and response processes for threats that bypass signature-based IDS/IPS, such as Secure Sockets Layer (SSL) encrypted traffic, website tampering and web shells: WAF, web shell detection/blocking solutions, Anti-APT, etc.

[IDS/IPS/NGIPS Makers]
▶ Domestic: Wins, KornicGlory, Secui, Ahnlab
▶ Overseas: Cisco, McAfee, IBM
